5 Common WordPress Setup Mistakes (And How to Fix Them)

Many web hosts provide the convenience of one-click installation, which is awesome and arguably under-appreciated. It makes setting up a decent-looking site possible for a wide range of people who wouldn’t otherwise go through with it.

Of course, the problem with quick installation solutions is that the setup isn’t all that thorough. After all, the installation process is designed to only meet minimum requirements. While you’ll end up with a functional WordPress site, it might not be of the best quality.

Often, the process will leave your site with setup-related issues. Today, we’ll address five of the most common WordPress setup mistakes and offer simple solutions. After all, while WordPress is designed to be used out of the box, it’s important that you have an understanding of what’s included in that box, so to speak, if you want to have a clean install that prioritizes security and user experience.

1. Selecting the Wrong Subfolder

Have you ever gone to a website and noticed that the blog is installed in a subfolder (like http://www.yoursitename.com/blog/)?

This is perfectly normal and acceptable. However, you can always tell when someone is a WordPress newbie when you see this instead: http://www.yoursitename.com/blog/wordpress/.

What’s the big deal, you might be wondering? So what if there’s an extra subfolder. That’s not a major issue, right? Well, no. It’s not a major issue, but it is redundant and unnecessary. It shows that the webmaster failed to remove the contents of the WordPress installation folder and place the files into a pre-named “blog” folder. But an even simpler method is to just upload the WordPress folder as it is and rename it to “blog” or whatever else you want to call it. This might seem nit-picky, but it’s a common setup mistake that you should avoid if you want to create a clean install.

2. Failing to Modify .htaccess

Protecting your site is important for its continued success. You don’t want to build up a good following only to have the site taken down by hackers!

First things first: set up folder permissions. This is straightforward and can easily be done within your web host’s control panel. Here’s a to-the-point rundown of the process. It makes it so only the folders that contain content you want the world to see will be viewable. The rest is password protected. Note: you will need an FTP client to complete this and the following steps. WordPress.org offers more information on this.

Once you’ve got that out of the way, you need to protect your WordPress configuration and login files. Let’s start with wp-config first.

You’ll need to download your .htaccess file. The .htaccess file is a configuration file that many different web servers use to override global directory configuration settings. You should find it in the root directory of your site. If you’ve installed WordPress in a subdirectory, however, the file can be found in the topmost folder where the installation resides. Open the file.

Next, paste the following text directly into the file. Don’t try to type it out yourself because you may make a typo. Copy and paste is your friend!

# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

You can save and upload the file back to your site now or make a few additional modifications to beef up site security even more. A really easy one is to disable the server signature. This hides the server version number and operating system info from prying eyes. And trust us on this: if someone is looking at this info, he or she may very well be someone trying to sneak their way into your site’s files through the backdoor. Then who knows what could happen?

To make this mod, paste this text into your .htaccess file:

# disable the server signature (the footer line on server-generated pages such as error pages)
ServerSignature Off

Another quick change is to disable directory browsing. This way, people trying to poke around on your site won’t be able to dig into the directories on your web host you don’t want them to see.

Here’s your quick fix for that:

# disable directory browsing
# (Apache 2.4 rejects an Options line that mixes signed and unsigned flags)
Options -Indexes

The last step for securing your site is to protect the .htaccess file itself from prying eyes and malicious users.

Add this text before you save it and upload the file back onto your site:

# protect the htaccess file
<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>
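
An added example, not part of the original article: a small Python check to run on the edited .htaccess before uploading it. It flags a deny rule that is not enclosed in a <Files> section (which would block every file in the directory), an Options line that mixes signed and unsigned flags, and a missing rule for wp-config.php or .htaccess. The function name, messages and sample input are constructed for illustration.

```python
import re

# Constructed sample: the article's rules pasted without the first <Files> wrapper.
SAMPLE = """\
# protect wp-config.php
order allow,deny
deny from all

# disable directory browsing
Options All -Indexes

<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>
"""

OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")    # <Files name>, <IfModule x>, ...
CLOSE = re.compile(r"^<\s*/\s*\w+\s*>$")         # </Files>, </IfModule>, ...
DENY = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)\b", re.I)

def audit_htaccess(text, must_protect=("wp-config.php", ".htaccess")):
    """Return a list of (line_number, message); line 0 marks a missing rule."""
    findings, protected, stack = [], set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            stack = stack[:-1]
        elif (m := OPEN.match(line)):
            stack.append((m.group(1).lower(), m.group(2).strip("\"'")))
        elif DENY.match(line):
            files = [arg for tag, arg in stack if tag == "files"]
            if files:
                protected.add(files[-1])
            else:  # the rule applies to every file in the directory
                findings.append((n, "deny rule outside any <Files> section"))
        elif line.lower().startswith("options "):
            signed = [flag[0] in "+-" for flag in line.split()[1:]]
            if any(signed) and not all(signed):  # rejected by Apache 2.4
                findings.append((n, "Options mixes signed and unsigned flags"))
    for name in must_protect:
        if name not in protected:
            findings.append((0, f"no <Files {name}> section with a deny rule"))
    return findings

if __name__ == "__main__":
    print(*audit_htaccess(SAMPLE), sep="\n")
```
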

3. Failing to Establish a Backup Plan

If you don’t have a backup plan for your WordPress site, you’re playing with fire. You need to back up all of your files, including the WordPress theme (and any modifications you’ve made to it), your images, your posts, your categories and tags, your robots file, the aforementioned .htaccess file, and the entire database itself. Failing to do this means nothing is standing in the way of you losing literally everything on your site.

You basically have two options when it comes to backing up WordPress sites: server-side backups and plugins. Server-side backups are provided by your web host. You can schedule them to happen every day. Just make sure the host uses a different server for backups than those they use to host their sites. You should also regularly download a copy of your site to your own hard drive for extra safekeeping.

A plugin is convenient but it uses PHP to connect with your server. This is exactly how most hackers would attempt to get into your site, so it’s not necessarily a safe option. All it would take is for someone to hack a plugin author’s WordPress account, add a few lines of code to the plugins, and sit back and wait for people (like you!) to download them. You could have a plugin installed on your site right now that is providing someone out there backdoor access to your info.

Even if you wanted to take your chances with a plugin-based backup system, some backup plugins store backups in the wp-content folder. So if your site goes down, the backups go down, too! Not always a reliable option.

Having said that, my backup service of choice for individual sites is VaultPress. Although it uses a plugin, the service is brought to us by the fine folks at Automattic (the guys who keep WordPress ticking) and I have no concerns about security.

If you have multiple sites then I have just one word for you: ManageWP. Yep — as part of our service we offer automatic scheduled backups for all of your sites!

4. Choosing the Wrong Theme

There are thousands of different themes to choose from but selecting a theme just because it has the most bells and whistles isn’t the best idea.

Think about the end user’s experience first and foremost. What features would make the site appealing to your target audience? What layout is the most intuitive for the type of content you’re offering? For instance, selecting a theme designed for a photography blog when all you post is text just won’t work.

Also, make sure basic elements like text color and link color are intuitive — you can’t go wrong with black and blue — and that they’re compatible with most browsers. If you throw a lot of time at theme customization, you need to make sure the site will appear as you intend.

If you’re going to buy a theme, make sure it comes with excellent documentation and support. You shouldn’t expect anything less if you’re shelling out cash. Also, finding a theme that relates to your industry in some way is often a good choice.

WooThemes are an awesome premium theme developer — this is their flagship theme, Canvas.

There are themes available that fit just about every niche so do your research before making a purchase. Check out our themes of the month post series for an awesome selection of free themes.

5. Choosing a Poor Permalink Structure

Permalinks are the, well, permanent links associated with each blog post and page on your WordPress site. They typically come after the “/” in your blog folder. The default structure is usually an ID number that does nothing to tell readers what the page they’re visiting is about and it gives search engines zilch to work with (this means say goodbye to SEO).

Instead of sticking to the default permalink structure, change it to something like “/%postname%/” or “/%category%/%postname%/”. Both of these give readers and search engines the information they need. Many SEO plugins offer tools to set this feature but you don’t need them for that: you can easily set the permalinks to whatever you want by going to your Dashboard and clicking Settings > Permalinks.

Conclusion

While you may face other issues when setting up a WordPress site, I consider these to be the most common. So the next time you opt for a quick install solution, remember that you may need to go in and manually set up a few things and make a few changes if you want your site to look, feel, and function like you’re a real pro.

Tom Ewer

Tom Ewer is the founder of WordCandy.co. He has been a huge fan of WordPress since he first laid eyes on it, and has been writing educational and informative content for WordPress users since 2011. When he's not working, you're likely to find him outdoors somewhere – as far away from a screen as possible!


21 Comments

ro

If an error was made by saving certain theme color settings etc. – is it possible to roll back in time by 6 hours to get everything the way it was. And how to do that? The error is not related to a specific post but to the entire look of the front page.

Netz

Tom Ewer

Anigel

Your .htaccess edits to protect wp-config.php and htaccess files look wrong. There should normally be a file element around the order allow,deny etc so that apache knows what file you are denying access to.

Tom Ewer

McBart

That was the reason I commented. Thanks!

5 years ago

Shane

Hi there,

I use Transmit from Panic (http://panic.com/transmit/) – an awesome FTP client. You can open your .htaccess (or any file) into your specified application to edit it, then save it from that app, and Transmit uploads it right back to the site. It cuts out a few extra steps most of the time. I found this to be a solid solution for making fast changes through FTP.

Debra

I prefer using FTP because I then have the file where I made changes on my desktop in case something goes wrong. I can then undo whatever changes I made in Editpad. I do this when I am editing the code in themes too.
